Re: [funsec] British Television

2009-06-02 Thread der Mouse
> I can't believe Young Ones isn't in your list.  One of the best ever.
>>> Mentioning Monty Python's Flying Circus [...]
>> No Benny Hill?
>> No Fawlty Towers?
>> [...]

Blackadder?

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTML   mo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
___
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.


Re: [funsec] I'm stranded in London! Send money!

2009-06-22 Thread der Mouse
> Here's a story of someone trying to scam me from a friend's facebook
> account which they took over:

> http://darkreading.com/blog/archives/2009/06/facebook_419_im.html

IMO the real news here is that a bot managed to pass the Turing test
well enough that after an hour talking with it you had to resort to
out-of-band contacts to be sure it wasn't the person it was pretending
to be.



Re: [funsec] I'm stranded in London! Send money!

2009-06-22 Thread der Mouse
>>> http://darkreading.com/blog/archives/2009/06/facebook_419_im.html
>> IMO the real news here is that a bot managed to pass the Turing test
>> well enough that after an hour talking with it you had to resort to
>> out-of-band contacts to be sure it wasn't the person it was
>> pretending to be.
> The more I think about it the less likely it seems that it was a bot,
> however, what else could it be for such a large-scale scam?

The same minimum-wage "Nigerians in cybercafes" that send 419s?



Re: [funsec] DefCon Web Site?

2009-06-24 Thread der Mouse
> I will make a comment that I hate these white text on black
> background sites.  It's quite difficult to read.

Not nearly as hard as black text on a white background.

My actual point here is that this kind of preference is very
idiosyncratic - it's one reason I strongly dislike today's Web culture,
because it's full of just that kind of "I know better than you what
kind of presentation will make this content most useful [or appealing
or whatever] to you".

And, actually, I find black text on a white background fine - when the
display technology is purely reflective, such as ink on paper.  For
emissive technologies, such as almost all computer displays, the
background really needs to be black for me to be able to tolerate it
for even mildly extended use.



Re: [funsec] Stoned Wallabies

2009-06-26 Thread der Mouse
>> Let's form a band then.  I'll play bass.  Dave's got guitar.  We can
>> rehearse over Skype.  Who's got vocals, drums and keys?  We can play
>> at VB.
> Be careful what you wish for. ;-)

I can handle keyboards, probably, but Skype, undocumented closed-source
mess that it is, is a total non-starter for me.



Re: [funsec] Microsoft DirectShow (msvidctl.dll) 0-day vuln used in drive-by attacks

2009-07-06 Thread der Mouse
> Can you imagine how bad the media backlash will be once there is a
> vulnerability announced for .NET after Microsoft forcibly installed
> that plugin in FF?

Yeah.  It will probably be much sound and fury, signifying nothing.
That is to say, it will not cause Microsoft's sales to drop
significantly.

As long as people keep buying, what difference how much the press rants?



Re: [funsec] Counting down ...

2009-07-07 Thread der Mouse
> 2: Since the rest of the world uses a logical, and at least sortable,
> dd/mm/yy format, for most of the world it will happen in August.

Actually, large fractions of the world use the much more sensible (and
far more sortable) yyyy-mm-dd format (or yyyy/mm/dd, or yyyy.mm.dd, or
whatever - the separators are probably the least important part).

Most of these places, I note, have cultures that go back more than a
century or two, and thus have learned to use more than two digits for
year numbers. :)

Or, at least, large fractions of the Gregorian-calendar world.  I don't
know what written date formats are used by the peoples that use the
Jewish, or Moslem, or Hindu, or Chinese, or Buddhist, or etc, calendars.



Re: [funsec] global warming is b/s? nice hatchet job

2009-07-12 Thread der Mouse
> For example: there isn't the slightest reason for any security
> conference to happen, per se.  There's no need to heat/cool a meeting
> place, no need to expend jet fuel/gasoline/diesel transporting people
> to it, etc.  It's completely possible to do the entire thing
> virtually -- and while that also uses some energy, of course, it's
> far less.

Yes, but the benefits are also substantially less.  You lose all the
meetings at meals, yakking with randoms met in the hallway, etc, which
in my experience usually rival and often surpass in value the overt
business of the conference.



Re: [funsec] Rage against spammers and telemarketers

2009-07-22 Thread der Mouse
> It's not nice, but "terrorist".  I think we use this word too easily.

This is exactly what some voices of caution were saying would happen to
the anti-terrorist laws: they would get (mis)applied to things bearing
no relation to what they were put in place to combat.

This was not a terrorist threat - except according to the definition in
a particular law.  A sane jurisdiction would take this as reason to fix
the law.  (Actually, a sane jurisdiction would not have enacted it in
the first place.)

The real wonder, to me, is that more people who can relatively easily
flee the USA aren't.



Re: [funsec] Rage against spammers and telemarketers

2009-07-22 Thread der Mouse
>> The real wonder, to me, is that more people who can relatively
>> easily flee the USA aren't.
> And go where?

At this point, even Canada, for all that it tends to follow the USA's
lead, is better - well, of course it depends on your stances on various
things; I haven't looked at this from viewpoints other than my own.  In
particular, extreme anti-socialists and the RKBA camp may have nowhere
better even now.  Some of the places I'd suggest looking at: .nz, .au,
.fi, .se, .no, .ch, .dk, .ca, .fo.  I'd probably also look into the
rest of the world some - south-east Asia, the Indian sub-continent, and
South America come to mind as worth a look-in.



Re: [funsec] population controls and the Paul Holdren controversy

2009-07-22 Thread der Mouse
> A lot of the left have nasty skeletons in their closet, [...]

So do a lot of just about every group of even remotely similar size.

> I've had discussions with environmentalists who told me with a
> straight face that the extra 4 Million deaths a year that are imputed
> as being due to banning DDT were a good thing, because they preferred
> birds to people.

And what's wrong with that?  Just that you disagree?  Certainly birds
have caused a lot less damage to non-bird life than humans have to
non-human life; the only reason I can see for us to prefer people to
birds is that we're people.  (Which, admittedly, is reason enough for
lots of people.)



Re: [funsec] Rage against spammers and telemarketers

2009-07-22 Thread der Mouse
> The planners: Enarques, Oxbridge and Ivy Leaguers are taking over the
> world, and will give us what they think we need, as opposed to what
> we want.

"What we want" has not proven to be a very good way to govern.  There's
even an idiom in English - "bread and circuses" - alluding to a rather
famous failure of governing by direct popular mandate.  While it is
also somewhat apocryphal - it comes from a satirist's work - for it to
have survived in live use indicates that its referent is common enough
for us to need an idiom for it.

"What they think we need" is more likely to be a useful approximation
to "what we need" than "what we want" is, I think; that's the point of
education, after all.  (And, I suspect, most of the apparent deviations
from this are due to "them" giving "us" not "what they think we need"
but rather "what they want us to have".)



Re: [funsec] Rage against spammers and telemarketers

2009-07-22 Thread der Mouse
> BTW, "making terroristic threats" is a very old term of crime, not at
> all connected to any recent hysterias.  What this guy did sounds to
> me like it should be treated as a serious crime.

Not to me, not in context.

If said seriously, in cold blood, I would agree.  In the context
outlined, I think that is an insane interpretation.



Re: [funsec] population controls and the Paul Holdren controversy

2009-07-23 Thread der Mouse
>>> I've had discussions with environmentalists who told me with a
>>> straight face that the extra 4 Million deaths a year that are
>>> imputed as being due to banning DDT were a good thing, because they
>>> preferred birds to people.
>> And what's wrong with that? 
> It's mass murder.

If you mean that, why haven't you reported them to law enforcement?
Mass murder usually gets their attention.

If you don't, please stop using inappropriate terminology, especially
when it's emotionally inflammatory.  (I won't bother speculating _why_
you chose the more inflammatory but less accurate word.)

> Knowingly killing millions, and causing millions more children to be
> permanently brain damaged, due to an utterly preventable disease,
> Malaria, in order to perpetuate things that you like to see on
> nat-geo is the height of narcissism.

You are jumping to unjustified conclusions ("like to see on nat-geo")
about _why_ these people prefer birds to humans.

I take it you would prefer that DDT resistance had been bred into the
relevant mosquito populations?  While it would be difficult to actually
perform the experiment, I believe that's what would have happened by now
if we'd continued using DDT anyway.

>> Certainly birds have caused a lot less damage to non-bird life than
>> humans have to non-human life;
> WTF?  How many billion insects do birds eat a year?

How many billion insects do humans kill a year?  Especially when you
include habitat destruction?

How many species do birds drive into extinction per year?  Humans?

> Just because they're cute and you like them, doesn't make them any
> more moral than people in what they consume.

Quite so.  That's one reason I chose the word "damage".  Eating an
individual of another species does not usually damage that species.
(You're also jumping to unjustified and largely incorrect conclusions
about my attitudes towards birds, but correcting them would leave the
larger point unaddressed.)

There's nothing inherently wrong with anthropocentricism.  I have it
myself, to a significant degree; if it's a question of a human dying or
an individual of some other species dying, I will almost always pick
the human to survive.  But your dichotomy above about DDT and malaria
is a false one.  Humans are capable of taking other measures to deal
with malaria, from preventive chemicals that do not do (as much) damage
to the local ecosystem, to non-chemical measures, to post-facto
curatives, while other species, such as birds, are not capable of
taking measures to palliate or avoid DDT's impact on them.

If a hypothetical outside observer were looking at our planet, trying
to pick a species whose elimination would most benefit the planet and
(the rest of) its inhabitants, I'd have trouble seeing how to justify
any choice other than Homo sapiens sapiens.  At least I certainly hope
such an outside observer is hypothetical; I _am_ human myself. :-/



Re: [funsec] Rage against spammers and telemarketers

2009-07-23 Thread der Mouse
> This post and your one regarding DDT have shown you for what you are:
> a misanthropic elitist who is trying to have his religion (Gaianism)
> established by law.

Hmm.  Thank you for stating it so clearly.

Can you explain exactly what you mean by Gaianism?  I'm not entirely
clear within myself on my religion, and you appear to be able to see
into me more clearly than I can.

I'm also wondering how I'm trying to get any of this into law.  I
wasn't aware I was trying to have any law changed (well, not in any way
that's relevant to this; I _am_ aware of working for anti-spam
legislation in some minor ways).  Could you explain that?  I'm
wondering if I've been lobbying in my sleep or something.

> It's OK that you don't believe in a Democratic Republic,

Aside from the contradictions in the term, I believe in what I think
you mean by it; I've _seen_ some.  (Note that this doesn't mean I like
them; also doesn't mean I don't.)

> human rights trumping those of animals, or free markets, and at least
> you are honest about it.

You appear to be using "believe in" to mean something more like
"support" or "consider good" than the usual sense of the term (which is
more like "be convinced of the existence of").  With that rereading: I
believe that a republic is one of the half-dozen or so forms of
government that's reasonably workable at modern population densities.
I believe that human rights trump animal rights in many cases, but I
also believe that many so-called "rights" are nothing of the sort, and
some that are shouldn't be.  (Some businesses, for example, appear to
think they have some kind of right to make a profit with their current
business plan, even after the world has changed enough to render that
plan unworkable.)  I also believe many of the cases said to be human
rights trumping animal rights are actually human convenience and greed
stomping on animal rights (to the extent nonhuman animals _have_
rights; most "rights" are human inventions).

Free markets - I'm not sure I believe in them.  I don't think I've ever
seen an example of one, and with good reason; I suspect such a thing,
unless it formed only a small part of a society, would turn into a
particularly nasty form of plutocracy, bordering on kleptocracy.  (The
scientist in me wants to perform the experiment.  The humanist shudders
at the risk of making life nasty, brutish, and probably short for an
entire population.)  Even the freest markets I've seen have had
regulations of various sorts imposed.

> This was the reason Madison insisted on the second amendment.  Lest
> the government be perverted by an unaccountable elite.

Hasn't worked very well, has it?



Re: [funsec] Rage against spammers and telemarketers

2009-07-23 Thread der Mouse
>> The real wonder, to me, is that more people who can relatively
>> easily flee the USA aren't.
> Careful what you say now... you know that Big Brother has members on
> this list, too! :-)  You don't want to be barred from this country,
> do you?

I effectively already am; it's been years since I've been willing to
voluntarily enter the USA.  (When asked what it would take, I usually
say, "repeal the Patriot Act and the DMCA and then we'll talk".)



Re: [funsec] population controls and the Paul Holdren controversy

2009-07-23 Thread der Mouse
>> If a hypothetical outside observer were looking at our planet,
>> trying to pick a species whose elimination would most benefit the
>> planet and (the rest of) its inhabitants, I'd have trouble seeing
>> how to justify any choice other than Homo sapiens sapiens.  At least
>> I certainly hope such an outside observer is hypothetical; I _am_
>> human myself. :-/
> Won't THEY be surprised when our nuclear plants explode, and our
> chemical storage units start venting waste.

Depends on how our putative elimination is handled.  I can imagine
everything from just blink, one moment everything's going as normal,
the next every human is dead, all the way to something like humanity's
fertility rate falling to the point where despite our best efforts each
person produces, on average, < 2 children per lifetime, and lets our
population decay down to zero.

Even the former I don't think would be that disastrous.  Even if our
chemical plants break down and vent stuff, even if our nuclear plants
_did_ go critical (which I consider unlikely; they are designed to fail
in the other direction), I think the planet could deal with the
one-time hit.  Might be disruptive, but probably not as much so as the
late Cretaceous extinction event.  It's the _continued_ dumping of
assorted crap into the world around us that's so problematic.

> Eliminating humans = destroying the planet.

I don't think so.  We couldn't destroy the planet if we tried.  We
might be able to sterilize the ecosystem on the surface, but even that
would be hard.  (We could, fairly easily, kill off major fractions of
the large creatures on the surface; this is a long way from sterilizing
it and a long _long_ way from destroying it.  See
http://qntm.org/?destroy for more.)



Re: [funsec] Rage against spammers and telemarketers

2009-07-24 Thread der Mouse
>> Everything from appendixes to neurons that have a common failure
>> mode called "magical thinking".
> You mean the imagination, which is why we can visualize what looks to
> be impossible and create it?

No; "magical thinking" is a technical term.  If you're not familiar
with it, I'd suggest http://en.wikipedia.org/wiki/Magical_thinking, the
Wikipedia page on the subject.



Re: [funsec] population controls and the Paul Holdren controversy

2009-07-24 Thread der Mouse
> Nor, imo, would the average comet or asteroid even fully eliminate
> mankind.  Set us back a few centuries or maybe even millennium, but
> that's about it.

At most.  I've had a few discussions with various people about how our
doing this or that is liable to lead to killing ourselves off, and I've
had to point out that it would be _hard_ to kill off humanity as a
species.  After all, our primary trait is adaptability.

It would be relatively easy (a large comet or asteroid impact would do
it) to disrupt approximately all current human societies and kill off a
large fraction of humanity - some immediately and directly, a whole lot
more as supply chains break down and, eg, cities starve - but it's a
self-limiting process; as the human population (and demand for food)
crashes, there will emerge plenty of places where hunter/gatherer and
subsistence farming become practical.

And once they start to recolonize the rest of the globe, they'll find
abandoned technology available, which should greatly speed the
rebuilding of the knowledge behind that technology - the knowledge that
something can be done is often one of the most important ingredients
for figuring out how to do it.



Re: [funsec] All your database (and email) are belong to us ...

2009-07-25 Thread der Mouse
>> As long as you trust them, Google can probably keep the systems more
>> secure than a bunch of random sysadmins who may or may not have
>> training ...
> That right there is a heck of a point.

True - but it's also semi-irrelevant.  Whether Google *can* is not
nearly as important as whether Google *will*.  (The former is necessary
but by no means sufficient for the latter.)

Given all the other problems they have exhibited, I doubt they will.
And, given how high-profile a target they would make, I much prefer to
trust in local admins, who, while they may make more mistakes than
Google, will make different mistakes from the next site over.  This
venture of Google's centralizes sysadmin, turning it into a monoculture
- and monocultures have caused trouble just about everywhere they've
occurred; I expect this to be no different.

The real problem is that even if Google _does_ run these systems more
securely than (say) LA's own sysadmins, one crack means *everyone's*
security is blown, not just LA's.  That's the monoculture aspect.



Re: [funsec] Fwd: [Dataloss] Network Solutions was PCI compliant before breach

2009-07-27 Thread der Mouse
>> /me spent approximately 9.34934 seconds wondering what these guys
>> would classify as an "exact" number.
> I was roughly 34.742% certain you would say that.

Jokes aside, "exact" can refer to either accuracy or precision.  I
suspect that the difference between the two is what's causing trouble
here.  (What is the difference?  Accuracy is how close a number is to
reality; precision is how small a number's error estimate is.  For
example, I could say that there are 3,418,029,600 plus-or-minus 10
humans on our planet at the moment.  This is a very _precise_ number,
the error estimate being about three parts per billion, but it is a
wildly _inaccurate_ number, being about half the actual figure.)

I suspect their "approximately" really meant "this is the exact number
we have in hand, but we're not all that confident that it truly
reflects the reality".



Re: [funsec] How to hijack 'every iPhone in the world'

2009-07-30 Thread der Mouse
> "On Thursday, two researchers plan to reveal an unpatched iPhone bug
> that could virally infect phones via SMS.  [...]

Any betting Apple manages to get them gagged before they can present? :(



Re: [funsec] Thoughts on Bing

2009-08-11 Thread der Mouse
> [...] none of the popular web search engines, including Google,
> provide them.  (Again, not a criticism: not much point in providing
> features for 0.0001% of the user base.)

I'm not sure how fair it is to speak of people submitting search
requests as Google's (and other similar organizations') "user base".
This implies that the primary purpose is to serve those people, which
hasn't been true for a long time.  The actual situation is that people
performing searches are the product and the advertisers are the
customers; the search results are just the coin in which the searchers
are paid for being part of the product.

> It's very difficult to figure out what "the results you want" are,
> let alone provide them, when input is just a list of words.

I see no reason to think they'd care, and reason to think they
wouldn't.  Some years ago I had occasion to look for a music
typesetting system called "SMUT".  I'm sure you can imagine the false
positives.  When I found they persisted even when I added
supposedly-exclusionary terms to the search like "-sex -pussy", I wrote
to them about this.  Did they fix their exclusionary syntax to work, to
not return results I specifically indicated I didn't want?  No; they
added "typesetting" to a list of search terms which prevented their
engine from returning that clutter.

IOW, even an explicit indication that you don't want certain results is
not enough to stop them from returning them.  They clearly don't care
what searchers anti-want; I see no reason to think they'd care what
searchers _do_ want.



Re: [funsec] OT: CDC recommends male circumcision as very effective to fight HIV (AIDS)

2009-08-25 Thread der Mouse
>> I mean "green parenting for non-toxic, healthy homes" is enough
>> to set my fruitloop detector off right there.  [...]
>> ARoogah aroogah, fruitcakes!
> Google it.  It's real.

Doesn't mean it ain't fruitcakes all the way down.



Re: [funsec] OT: CDC recommends male circumcision as very effective to fight HIV (AIDS)

2009-08-25 Thread der Mouse
>>>> I mean "green parenting for non-toxic, healthy homes" is enough
>>>> to set my fruitloop detector off right there.  [...]
>>>> ARoogah aroogah, fruitcakes!
>>> Google it.  It's real.
>> Doesn't mean it ain't fruitcakes all the way down.
> Well, it's not insignificant.  I have two boys, and the position of
> the Doctors was always "it doesn't matter if you circumcise or not".

Oh, sure, the fact of the correlation (which has been known for years,
I think, among those watching such things in Africa) is interesting
and, for many people, important.

But that's not to say that ecochildsplay.com, or whoever wrote their
piece, aren't utter fruitcakes.  (Doesn't say they are, either, of
course.  But see below.)

> This new statement is pretty significant -- that you can actually
> protect against AIDs.

(AIDS, actually; it is not a plural.)  Yes, you can.  That's been known
for a long time.  Most of the regimens that protect effectively are
things, such as sexual abstinence, which are difficult to get large
populations to engage in enough to matter.

I find the summary in the Subject: somewhat questionable, though; what
I've read about the subject has been from parts of Africa where AIDS is
endemic, and has indicated that the protection, while statistically
significant, is not all that good - certainly not enough to rate "very
effective".  Perhaps I'm just behind the times, but in view of the
other indications I find it more likely that this is fruitcake
reporting, or fruitcake massaging of someone else's reporting, or some
such.



Re: [funsec] OT: CDC recommends male circumcision as very effective to fight HIV (AIDS)

2009-08-25 Thread der Mouse
>> significant, is not all that good - certainly not enough to rate
>> "very effective".  Perhaps I'm just behind the times, [...]
> I call the claimed 60% better chances of not attracting a disease
> very effective.

60%?  I don't know that _I_ would call that "very effective", but I do
think it's defensible wording for that level of effectiveness.

However, I wasn't talking about what the article claimed, but what I
recalled from other reading about the "circumcision inhibits AIDS"
thing.

> Here is a better URL: http://www.nydailynews.com/[...]

If that reporting is actually right, then it was my memory flaking out.
Perhaps it's just been too long since I read anything on it.



Re: [funsec] ruling: liability for providers who don't act on clients' illegal activities?

2009-09-07 Thread der Mouse
>> A federal jury in California this week levied a total of $32 million
>> in damages from two Internet service providers that knowingly
>> supported Websites that were running illegal operations.

> This is akin to closing down a freaking bank, because they cashed a
> fraudulent check.

More like, because they continued cashing fraudulent checks for people
known to have a history of cashing fraudulent checks.



Re: [funsec] ruling: liability for providers who don't act on clients' illegal activities?

2009-09-08 Thread der Mouse
> The interesting aspect of this ruling is that it [...] has affirmed
> [...] that "online behaviour" is (largely) ruled by the same laws,
> customs and so on as "real world" behaviours.

Except it hasn't, because it isn't.  At least not in general.

"Online" behaviour _is_ ruled by the same laws and customs as off-net
behaviour when all, or at least enough, of the parties are in the same
(off-net) jurisdiction.  _That_ is what this ruling has affirmed.

But, unlike offline behaviour, on-the-net behaviour is very often
thoroughly cross-jurisdictional, with no clear way to determine whose
laws apply.  Someone in Germany buys from a Japanese company through an
Egyptian-hosted website paying with a US payment broker and the product
ships from Brazil, and it's, um, a little less clear.

Nor do you really want it otherwise, I suspect, because I suspect that
most of your - and my, and just about everyone else's - on-net actions
are illegal _somewhere_.  Unless you expect to enforce your laws
against others but are unwilling to accept reciprocal enforcement of
others' laws against you.

> If you really thought that just because computers, "virtual
> communities" and other such electronic ephemera were involved that
> somehow all this "int-duh-web stuff" was magically "different" or
> "special", then maybe _you_ are the "special" one???

Not just because they're involved, but because they are fundamentally
different.  See my blah entry on the subject,
http://ftp.rodents-montreal.org/mouse/blah/2009-09-08-1.html,
if you're interested in my thoughts on the matter.



Re: [funsec] ruling: liability for providers who don't act on clients' illegal activities?

2009-09-08 Thread der Mouse
> Idealists might shit bricks because of this, but they should have
> struck out for a better internet than one [we have]

Some of us did.

Then the September that never ended struck, and we got swamped.



Re: [funsec] ruling: liability for providers who don't act on clients' illegal activities?

2009-09-08 Thread der Mouse
> Do we expect ATT/Verizon/etc. to stop phone service for fraudulent
> sales pitches for these same handbags?

Phone companies _are_ different.  They're common carriers.  This gives
them a lot of immunities (eg, the above example), but it also gives
them a corresponding lot of shackles.

The consensus I've seen whenever it's been discussed is that we (FWVO
"we") do _not_ want ISPs to become common carriers.



Re: [funsec] ruling: liability for providers who don't act on clients' illegal activities?

2009-09-08 Thread der Mouse
> "child porn"

> That is a whole different can of worms and _that_ is the type of
> stuff that should be acted on.  There someone is being hurt.

Maybe.

Didn't Australia recently determine that a cartoon of Bart Simpson was
kiddie porn?

Mind you, when real kids _are_ involved, I totally agree - string 'em
out to dry.  But the law is amazing in its capacity for disconnecting
from reality; I've seen it said that in some jurisdictions, it's
possible for *plain text* to constitute child porn.  Even if no
children were involved in its creation whatsoever.



Re: [funsec] Firefox' privacy mode not so private

2009-09-15 Thread der Mouse
> With all those webvideo sites around nowadays it is kinda hard to
> sound convincing when stating "I don't use flash" :)

Well, I suppose you can refuse to believe me if you like, but I
certainly don't have anything to do with flash.  Nor with "webvideo
sites".  For the most part I just don't Web, and when I do I use lynx.
(Well, except at work, where they've got some marvelous new impediments
to getting work done whose only even-minimally-usable interfaces are
Web ones, so there's a second machine on my desk for the times when I
have to interact with them.  Who, me?  Annoyed at having to use Web
crap?  Whatever gives you that idea?)

However, that really has little-to-no bearing on the deficiencies in
Firefox's local data management (or anyone else's, for that matter); I
don't need to use something to recognize that it's behaving stupidly.



Re: [funsec] London police scans on the streets with mobile phone scanner

2009-09-23 Thread der Mouse
> "People stopped by the police in parts of London are having their
> phones scanned and instantly checked against a national database to
> determine whether they are stolen.

> The on-the-spot checks, reminiscent of Police National Computer (PNC)
> checks for stopped vehicles, are being trialled by officers in Ealing
> and Bromley.

> A handheld wireless device called Apollo scans the IMEI barcode,
> usually found underneath a phone's battery*, and [...]

IOW, it's based on the IMEI of the phone's case, not the IMEI the phone
actually uses.  (I believe I have at least one phone whose IMEI does
not match that of its case - I had three phones of the same model with
assorted, and differing, damage, and swapped parts to get a working
phone out of the assortment, and I think the guts of the resulting
phone did not come from the same phone the IMEI-bearing part of the
case did.  Perhaps fortunately, I am highly unlikely to be in the UK in
the foreseeable future.)

I suppose that's good enough for most cases, but, really, if this
silliness has police powers behind it, wouldn't it be easier to just
require the cell carriers to collect the _real_ IMEIs?



[funsec] Certs [was Re: Presidential Internet Kill Switch]

2009-09-27 Thread der Mouse
> I think in the long run, we're going to end up looking more at
> certification in the sense that CivEs or EE's look at it - something
> like professional engineering certification.

I doubt this will happen until and unless the field matures enough that
it's fair to treat it as an engineering discipline rather than a
creative art.

That, I'm not sure will ever happen.  (I'm also far from sure it won't,
too, though.)



Re: [funsec] mac is not unix [Re: What was that about hubris?]

2009-10-01 Thread der Mouse
>> Pause to count number of good games on the mac.

s/ on the mac//  :-)

> But as it was explained to me by a very nice guy, an operating system
> is built of three components.  The core, the GUI and the command
> interface.  Of all these, only the last is Unix-based.

Well, I do believe Mac OS X is built along those lines.  "An operating
system" in general may or may not be; indeed, plenty of operating
systems do not have anything at all that could reasonably be called a
GUI, much less structure like what you sketch.



Re: [funsec] mac is not unix [Re: What was that about hubris?]

2009-10-02 Thread der Mouse
>>> "An operating system" in general may or may not be [split into
>>> core, GUI, and CLI]; indeed, plenty of operating systems do not
>>> have anything at all that could reasonably be called a GUI, much
>>> less structure like what you sketch.
> 1) Either convince me that Cisco's IOS and Juniper's JunOS are in
> fact *not* operating systems, or point out to me how they're split
> into a core, a CLI, and a GUI.

You don't need to go even that far.  Just consider NetBSD (or Linux, or
whatever) on hardware without a GUI-capable framebuffer - or, if that's
not enough, on hardware which can't be given one (I've got a board from
Mesanet on which it would be difficult-to-impossible to add GUI-capable
hardware).



Re: [funsec] mac is not unix [Re: What was that about hubris?]

2009-10-02 Thread der Mouse
> "An operating system" in general may or may not be [split into
> core, GUI, and CLI]; [...]
>> You don't need to go even that far.  Just consider NetBSD (or Linux,
>> or whatever) on hardware without a GUI-capable framebuffer - [...]
> We're talking about Mac here, right?

I, at least, wasn't.

The original history was

[Paul M. Moriarty]
>>> [...] a Mac is a UNIX box with a great GUI that [...]
[Gadi]
>> But as it was explained to me by a very nice guy, an operating
>> system is built of three components.  The core, the GUI and the
>> command interface.  Of all these, only the last is Unix-based.

to which I replied

> Well, I do believe Mac OS X is built along those lines.  "An
> operating system" in general may or may not be; [...]

It's true there was a certain amount of "under OS X" context for what
you wrote, since the last sentence is obviously false for many non-OSX
OSes for which the first is true (consider, eg, System 7 for 68k Macs).
I read that context as applying to only that last sentence, and my "in
general" was at least partly an attempt to make that explicit;
apparently I wasn't explicit enough to make my meaning clear.

I'd argue with your "very nice guy" a little even for OS X, though,
since there is a substantial amount of Unix basing in the libc layer,
which is used by much more than just the CLI; of the three components
listed, it would have to be part of the core.



Re: [funsec] mac is not unix [Re: What was that about hubris?]

2009-10-03 Thread der Mouse
>> I'd argue with your "very nice guy" a little even for OS X, though,
>> since there is a substantial amount of Unix basing in the libc
>> layer, which is used by much more than just the CLI; of the three
>> components listed, it would have to be part of the core.
> What percentage of the core would you consider to be open source?

I don't know.  There are two reasons for this.  (1) It depends on where
you draw the line that bounds "the core".  I don't consider the
"core/GUI/CLI" breakup a particularly useful one, so asking me to draw
it is unlikely to produce very useful results.  (There are pieces, such
as libc, that I would separate out as not really belonging to any of
those three portions.)  (2) I don't know enough about how much of OS X
is open sourced anyway to answer that even if I had a clear and useful
definition of "the core".

Indeed, "open source" is one of those fuzzy terms that has almost as
many definitions as there are people using it (though it's better than
"free software", at least) - while there are some things that
practically everyone agrees on, it's hard to find any two people that
totally agree on where to draw the boundary lines, and indeed some
people draw the line at different places in different contexts.

Guessing based on what little I've heard about Darwin and what's been
said in this thread, I would guess that all, or at least almost all, of
"the core" is "open source", for most likely values of "the core" and
"open source".



Re: [funsec] mac is not unix [Re: What was that about hubris?]

2009-10-04 Thread der Mouse
>> [Paul M. Moriarty]
> [...] a Mac is a UNIX box with a great GUI that [...]
> You left off the part where I said:
> "Yeah, yeah, nitpick about Mach, blah, blah, blah..."

I don't find it to be nitpicking.

> For what I do with it, the mac is UNIX-like enough for me.

...which is the key here.  For someone of whom that's true, it may look
like nitpicking, because, for such a person, it is, nitpicking here
being the drawing of irrelevant distinctions, and such a person finds
those distinctions irrelevant.  For anyone who scratches beyond the
surface, the situation is very different: I, for example, lost most of
an afternoon to one of the sysadmin-POV ways Mac OS X "is not Unix",
which makes it hard for me to consider the distinction irrelevant.



Re: [funsec] Don’t lol – Cyberbullying is No Joke in Congress

2009-10-09 Thread der Mouse
>> [...], would criminalize cyberbullying,
> `(a) Whoever transmits in interstate or foreign commerce any
> communication, with the intent to coerce, intimidate, harass, or
> cause substantial emotional distress to a person, using electronic
> means to support severe, repeated, and hostile behavior, shall be
> fined under this title or imprisoned not more than two years, or
> both."

> Seriously though - do we *really* want to pass a law that could
> potentially make a lot of us felons?

Perhaps "we" don't want to, but I think the world would be better off
without the behaviours described in the quote.  If it really would
"make a lot of you felons", I believe that "lot of you" need to clean
up your acts.

Now, if only there were some way to enact it *and* get it enforced
fairly *and* suppress mission creep, I might support it.  (Not that my
support or lack thereof would matter, me being on the wrong side of
your northern border)



Re: [funsec] dumb. Comcast pop-ups

2009-10-10 Thread der Mouse
>>> A *much* smarter move on Comcast's part would be to simply null
>>> route any suspected infected computer until it is cleaned up.
>> Absolutely.  Infected systems should be walled off *in toto* ([...])
>> until they're fixed.
> And prevent their customers from some activity on the internet that
> may be extremely urgent and important?

Yes.

One customer's idea of "extremely urgent and important" does not, or at
least should not, outweigh the danger to everyone else on the net from
failure to keep one's system from getting pwn3d.

Anyone depending on the public Internet for anything "extremely urgent
and important" is being grossly stupid anyway.



Re: [funsec] dumb. Comcast pop-ups

2009-10-10 Thread der Mouse
> This is at least a step forward in network hygiene and I'm not
> impressed with the notion that this sets up spoof messages; you could
> say the same thing about any communications from an ISP.  How else
> should Comcast notify users?

I would suggest picking up the phone.  I've worked at an ISP that _did_
notify users who appeared to have pwn3d boxes, and that's what we did.

If Comcast thinks they don't have the people to do that, I say that's
_their_ problem; their choices are to hire those people, train their
users to fall for spoofs, or be a danger to the entire net.

Well, at least unless someone comes up with a fourth option.



Re: [funsec] Public Policy and Consumer ISP Hygiene (was Comcast pop-ups)

2009-10-19 Thread der Mouse
> If email isn't fixed (by replacing SMTP), then I'm afraid it'll wane
> through attrition, and be relegated to a corporate messaging system.

> 16 year olds today tend to use SMS and social applications, [...]

> HTTP will probably replace SMTP, and when that happens Google,
> Hotmail and Yahoo will be able to elbow out everyone else.

And those of us who _do_ use SMTP will be able to take it back again,
once its user population is too small to be attractive to spammers.
Oddly enough, most of the people I care about communicating with would,
I suspect, be among "those of us" if/when that happens.  I've already
had to block gmail, hotmail, and yahoo for assorted abusive behaviours
and am considering blocking the rest of google; if they were to stop
doing SMTP I would be delighted.



Re: [funsec] Public Policy and Consumer ISP Hygiene (was Comcast pop-ups)

2009-10-19 Thread der Mouse
> Equally appalling (to me, at least) has been the sharp decline in the
> sense of responsibility among network and system operators.  [...]

> It is this utter failure of responsibility, this profound negligence,
> that I think is every bit as much a threat as The Bad Guys.  [...]

I entirely agree.

It's why I (mostly) got out of abuse-fighting: the rot goes, as far as
I can tell, clear to the top, and until the mismatch between authority
and responsibility - imposed responsibility, that is, since (as you
point out) self-assumed responsibility has failed to carry over through
the September that never ended and its associated changes - is fixed,
everything else is a holding action at best.  I am not a crusader, much
less a Quixotic crusader, and do not have the energy and stress
tolerance to sink into a losing holding action.

I now fear that it will take the collapse of the current Internet
governance structure to do any good; fixing it is looking less and less
likely - less likely for every day that passes with total apparent
inaction (total lack of effect, that is, as far as I can see) by the
current top of the pyramid.



Re: [funsec] Public Policy and Consumer ISP Hygiene (was Comcast pop-ups)

2009-10-19 Thread der Mouse
>> I now fear that it will take the collapse of the current Internet
>> governance structure to do any good; fixing it is looking less and
>> less likely - less likely for every day that passes with total
>> apparent inaction (total lack of effect, that is, as far as I can
>> see) by the current top of the pyramid.
> By the top of the pyramid, do you mean IETF or Tier-1 transits?  Or
> large ISPs?

All of the above are examples of failures of self-assumed
responsibility.  Of those, the closest to what I meant was the IETF,
but, as I understand the structure, the IANA or IAB would be more like
what I meant.

I don't really know the structure of the top of the pyramid.  My
impression is that the IANA and/or IAB would have to be the entity to
impose responsibility when it delegates authority, but ICBW - whom is
it the RIRs and domain registrars contract with to get their authority?
That's who needs to start imposing responsibility along with authority
(and enforcing it, since the delegees don't seem to be accepting it).

How that happens is an open question.  I don't really expect it to
happen at all, honestly, but it could happen if the IANA (or whoever)
decides that a functioning net is more important than short-term
profit.  But I suppose, with the USA Department of Commerce (I think
that's who it was) setting themselves up as the next step up,
"functioning" probably _means_ "producing short-term profit".



Re: [funsec] Public Policy and Consumer ISP Hygiene (was Comcast pop-ups)

2009-10-19 Thread der Mouse
> Address space assignments start at the IANA, but they basically farm
> out an entire /8 at a time to the regional RIR authorities (RIPE in
> Europe, APNIC in the Pacific Rim, and ARIN in US/North America), who
> then give out /16's or so to companies.  However, they do *NOT*,
> repeat *NOT* do any sort of policing [...]

Right.

That's what I mean: authority is delegated without the concomitant
responsibility being imposed.  The IANA needs to impose responsibility
on the RIRs, since they have failed to assume it themselves; the RIRs
in turn need to pass it along.  That just ain't happening.

As long as that condition prevails, we will have abuses, growing more
and more severe until (a) the mismatch is corrected, (b) the system
collapses, or (c) a steady state of abuse concomitant to the degree of
mismatch is reached.  Since the mismatch in this case appears to be
total, I expect (b) to happen before (c).

I'd still rather see (a), but I hold out little hope for that.

> Domain registrations derive from ICANN, [...]

...which, again, is delegating authority without imposing the
responsibility to go with it.

Gee, and domain registration is another mess.  What a _surprise_.



Re: [funsec] "Russian Police And Internet Registry Accused Of Aiding Cybercrime"

2009-10-21 Thread der Mouse
>> "Internet registry RIPE NCC turned a blind eye to cybercrime, and
>> Russian police corruption helped the perpetrators get away with it,
>> according to the UK Serious Organised Crime Agency"

Well, duh.  RIPE - and all other RIRs, as far as I can tell - has never
even tried to do anything about abuse.

> This could get interesting.  The RIR's have never (to my
> understanding) ever tried to validate the business plans of those who
> want number resources and insure that they were "legal".

Nor should they, I think, per se.  It's when they involve abuse of
their assigned resources that the RIR has to step up and enforce the
responsibility that goes with authority.  Independent of whether that
abuse happens to be legal, or not, in any jurisdiction.

Or, of course, not do so, and watch the abuses grow until they kill the
goose that's laying such golden eggs, instead of spending a few eggs to
ensure the goose's long-term survival.



Re: [funsec] Goodbye GeoCities

2009-10-26 Thread der Mouse
[top-posting damage repaired manually]

>>> Geocities [...] closes today.
>> Check out the tribute on www.xkcd.com
> Really cool!  (Chris posted this link already)

Well, it would have been cooler if they hadn't also redecorated the
archive page and thereby broken my automated fetch script. :-/

Today's comic *was* pretty good, though. :)



Re: [funsec] ICANN Approves Non-Latin Domain Name Characters

2009-10-31 Thread der Mouse
> So have the security implications of these new domain names really
> been thought through?

Of course not.  Security is an afterthought.  Making money for the
infrastructure companies comes first.

It's been a long time since Internet governance had anything to do with
governing well (as opposed to profitably).



Re: [funsec] ICANN Approves Non-Latin Domain Name Characters

2009-10-31 Thread der Mouse
>>> So have the security implications of these new domain names really
>>> been thought through?
>> Of course not.  Security is an afterthought.  Making money for the
>> infrastructure companies comes first.

(In passing, something in your email software is mangling quotes; it
replaced two ordinary spaces with non-break spaces.  I changed them
back in the quote above.)

>> It's been a long time since Internet governance had anything to do
>> with governing well (as opposed to profitably).

> Oh, come off it.  There are reasons to make changes to networks other
> than security.  It's a genuine, non-corrupt reasonable demand that
> you should be able to have your own language in DNS.

Certainly.  All I'm saying is that (I believe) the cha-ching overrode
any impulse there may have been toward giving the security concerns
anything like the thought they need.  (Not that this is surprising; if
security were important enough to them for them to have done that, they
would have done various other highly visible things first.)



Re: [funsec] ICANN Approves Non-Latin Domain Name Characters

2009-11-02 Thread der Mouse
>> It's a genuine, non-corrupt reasonable demand that you should be
>> able to have your own language in DNS.
> If it's only about language, it's not reasonable at all.  "com" isn't
> English,

gTLDs are another fettle of kish entirely.

> "de" isn't German,

Hm?  I thought the point was that it _was_, that .de came from
"Deutschland" - that's why it's .de rather than .ge or some such.

> (Poor FYROM.  There are '"'s in the country's official name, so it
> can't be put into DNS even with IDNA.)

Huh?  The DNS supports labels containing all 256 possible octet values;
the only sense in which it's not fully binary-transparent is the
historical botch of treating uppercase ASCII as equivalent to lowercase
ASCII.  (To my mind, that's the biggest issue with internationalizing
the DNS: reconciling the historical behaviours of case-folding the
ASCII letters but not any of the various non-ASCII letters.  It seems
more than passing strange, for example, for snörf to be considered
equivalent to SNöRF but not to SNÖRF.)  Some octets are difficult to
use (eg, 0x2e, ASCII '.', or, worse, 0x00), but those are interface
issues, not protocol issues.

The only reason you can't register åøëí.com is administrative; it would
work fine technically.  Once you pick an encoding, that is; DNS on the
wire deals in octet strings, not character strings.  The distinction
between characters and character encodings is fundamentally what's
behind many issues.  It's why, for example, we have an ssh standard
that is, strictly, unimplementable on most Unix variants.


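The comparison rule the post above describes, as an added example that is not part of the original message or of any DNS implementation: DNS names on the wire are length-prefixed octet strings, only the ASCII letters are case-folded when two labels are compared (the behaviour later written down in RFC 4343), and anything non-ASCII is compared octet by octet in whatever encoding the registrant happened to pick. The function names and the sample labels (snörf and friends, the label containing a literal '.') are constructed for this illustration.

```python
"""
DNS labels as octet strings, compared the way the DNS compares them:
fold only ASCII A-Z to a-z, compare every other octet verbatim.
Function names and sample labels are constructed for this example.
"""


def fold_ascii(label: bytes) -> bytes:
    """Lower-case only the ASCII letters; leave every other octet alone.
    This is why 'snörf' and 'SNöRF' compare equal but 'SNÖRF' does not:
    ö and Ö are different octet sequences and are never folded."""
    return bytes(b + 32 if 0x41 <= b <= 0x5A else b for b in label)


def labels_equal(a: bytes, b: bytes) -> bool:
    """Case-insensitive (ASCII only) comparison of two wire-format labels."""
    return fold_ascii(a) == fold_ascii(b)


def wire_name(labels) -> bytes:
    """Encode a list of labels in RFC 1035 wire form: one length octet per
    label followed by the raw octets, terminated by the empty root label.
    Any octet value, '.' (0x2e) and NUL (0x00) included, is legal inside a
    label; only the length limits apply."""
    out = bytearray()
    for label in labels:
        if not 0 < len(label) <= 63:
            raise ValueError("label length must be 1..63 octets")
        out.append(len(label))
        out += label
    out.append(0)  # root label terminates the name
    if len(out) > 255:
        raise ValueError("name exceeds 255 octets")
    return bytes(out)


def presentation_label(label: bytes) -> str:
    """Render a label in master-file (presentation) style.  '.' and '\\'
    get a backslash, non-printable and non-ASCII octets become \\DDD.
    This is the interface layer where '.' inside a label needs care; the
    wire format above needed none."""
    parts = []
    for b in label:
        if b in (0x2E, 0x5C):
            parts.append("\\" + chr(b))
        elif 0x21 <= b <= 0x7E:
            parts.append(chr(b))
        else:
            parts.append("\\%03d" % b)
    return "".join(parts)


def demo() -> dict:
    """Exercise the rules on the post's own examples (constructed labels)."""
    lower = "snörf".encode("utf-8")
    mixed = "SNöRF".encode("utf-8")
    upper = "SNÖRF".encode("utf-8")
    return {
        # ASCII letters folded, so these two are the same label
        "lower_eq_mixed": labels_equal(lower, mixed),
        # ö (c3 b6) vs Ö (c3 96): non-ASCII octets are not folded
        "lower_eq_upper": labels_equal(lower, upper),
        # same characters, different encoding, different octets
        "utf8_eq_latin1": labels_equal(lower, "snörf".encode("latin-1")),
        # '.' inside a label is fine on the wire, escaped in presentation
        "dot_label_wire": wire_name([b"a.b", b"example"]),
        "dot_label_text": presentation_label(b"a.b"),
        "nul_label_text": presentation_label(b"\x00"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The last entry in `demo()` makes the post's "once you pick an encoding" point concrete: the same five characters encoded as Latin-1 and as UTF-8 are different octet strings and therefore different labels, which is exactly the ambiguity IDNA's fixed ASCII-compatible encoding exists to remove.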

Re: [funsec] ICANN Approves Non-Latin Domain Name Characters

2009-11-03 Thread der Mouse
>> (In passing, something in your email software is mangling quotes; it
>> replaced two ordinary spaces with non-break spaces.  [...])
> Were they Latin non-breaking spaces, or Korean non-breaking spaces?

Latin.  They were 0xa0 octets, and the part was marked 8859-1.

(I wasn't aware there was such a thing as a Korean non-breaking space,
but then, I don't know Korean. :-)

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] Foul

2009-11-09 Thread der Mouse
> Bottom line: If a digital control (SCADA, DCS, PLC, etc.) can be
> manipulated to cause a system failure, then the control system is
> badly designed and lacks the appropriate safety systems dictated by
> standard control system design practices.

Disagree.  There are too many cases where the difference between
"failure" and "correct operation" lies only in human-layer intent.

As a simple example, if it is possible to shut something down through
digital control (for maintenance, say), then it is possible to shut it
down maliciously as well.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] whitehouse cyber strategy review

2009-11-14 Thread der Mouse
 Don't run Windows, morons.
> From the "What The Simpsons Taught Me About Cybersecurity"
> department, one of my favorite episodes is where somebody explains to
> Homer Simpson that people put tennis balls on the tips of their car
> antennas so they can find their cars in a crowded parking lot. Homer
> says "that's a great idea, everyone should do that!".

If I were security dictator, I wouldn't say "don't run Windows".
Well, actually, I might - but first, and more importantly, I'd say: no
monocultures.

Specifically, there are two edicts through which I'd say that:

- Don't run anything with over 30% market share.
- Each site (FWVO "site") must be run mixed, with at least three
   different systems each having at least 10% of the network.

Yes, the first one means periodic changes.  If the second one is
followed, they won't be especially drastic.  Ideally, I'd add parallel
dicta for the hardware - the above are just for the software - but the
software ones would, I suspect, get most of the benefit.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] Family tech support

2009-11-29 Thread der Mouse
>> 2) I install Linux.  Zero cost, and she most likely won't ever see
>> another malware.  It's a no-brainer, really.
> Only until you realise that you can count the number of useful
> productive programs on linux on thumbs on your left foot.

So, you're saying that my workplace has been deluding themselves that
they're getting useful things done with the Linux machines there?

Each of my workplaces, that should be, actually.

> For that matter, linux has no decent games at all. No incentive
> there.

Oh, come on.  You've got nethack; what more do you need?

> Toss in all that in your face advocacy and they are doing themselves
> no favours.

Agreed.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] maybe it's not over- climategate

2009-12-09 Thread der Mouse
(In passing, it would help if you would avoid paragraph-length lines.)

> My friends who are solidly on the Left are [...]
> My friends who are solidly on the Right are [...]

> I don't understand the eagerness of either side to find proof that
> the world is either ending any minute or that we should be free to
> pollute without restriction.

> It's more than a little creepy from both sides.

While I haven't really studied this in detail - neither the climate
itself nor the political/psychological/sociological questions associated
with the politicization you note - it does occur to me as plausible, at
least, that what you describe is an aspect of the noisy extremists
being the ones who get noticed - and mistaken for the entire sides.
Just thinking about the people I know, the ones who espouse positions
(either way) vigorously enough for me to be aware of them are a pretty
small minority.  While this quite possibly is a biased sample, so is
your "friends who are solidly on $SIDE" :-)

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] maybe it's not over- climategate

2009-12-10 Thread der Mouse
>> (In passing, it would help if you would avoid paragraph-length
>> lines.)
> Any sentence that you can't choke an elephant with isn't long enough.

It's not long _sentences_ I mind.  It's long _lines_.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] Ghosts of steganography past

2009-12-10 Thread der Mouse
>> I want to know if people are still using primitive methods of hiding
>> information
> http://s169.photobucket.com/albums/u210/noodles-1991/?action=view&current=1159390191021.jpg&newest=1
> (Go ahead - *try* to claim that's not really primitive stego. ;)

I sure don't see any hidden message in it.  What am I missing?

Or is it just so effective it's defeated my attempts to find it?

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] Ghosts of steganography past

2009-12-10 Thread der Mouse
>> I sure don't see any hidden message in it.  What am I missing?
> There's a whole bunch of dark pixels towards the center-right top.

You mean the rectangle that's 15x14+352+39, give or take a pixel or
two?  I see no particularly compelling reason to think this is anything
other than exactly what it looks like: some small brownish thing on the
wall, too small to see clearly at this resolution.

Or do you mean the patch which looks like the standing person's hair?
That too I see no reason to think is other than exactly what it appears
to be: black hair.

Or do you have external reason to think there is steganography going on
there?

If I actually wanted to steganographize in images, I'd do it much more
subtly - as a first idea, force the low bit of the blue dc component of
each DCT block to match my data (which of course would be encrypted, to
make it look like noise).

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

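The embedding scheme sketched at the end of the post above, as an added example that is not part of the original message: it operates on a list of quantized DC coefficients of the kind a JPEG coefficient decoder would hand you (that decoder is assumed and not included; the coefficient list in the usage note is constructed), whitens the payload with a keyed keystream so the embedded bits look like noise, and writes one bit into the low bit of each block's DC coefficient. The keystream is a toy built from SHA-256; a real deployment would use a proper cipher.

```python
# Added example, not code from the post: LSB embedding in per-block DC
# coefficients, with the payload whitened first.  Stdlib only.
import hashlib
import itertools


def keystream(key, nbytes):
    """Toy counter-mode keystream from SHA-256, used only to make the
    embedded bits look like noise.  Not a substitute for a real cipher."""
    out = bytearray()
    for ctr in itertools.count():
        if len(out) >= nbytes:
            break
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
    return bytes(out[:nbytes])


def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(dc_coefs, payload, key):
    """Return a copy of dc_coefs whose leading coefficients have their low
    bit forced to the whitened payload bits.  A 2-byte big-endian length
    prefix tells extract() how much to read.  Coefficients change by at
    most 1, and only in the low bit."""
    msg = len(payload).to_bytes(2, "big") + payload
    msg = _xor(msg, keystream(key, len(msg)))
    bits = list(_bits(msg))
    if len(bits) > len(dc_coefs):
        raise ValueError("payload needs %d blocks, image has %d"
                         % (len(bits), len(dc_coefs)))
    out = list(dc_coefs)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit   # works for negative ints in Python
    return out


def extract(dc_coefs, key):
    """Read the low bits back, un-whiten, and return the payload."""
    def take(nbits, offset):
        val = 0
        for c in dc_coefs[offset:offset + nbits]:
            val = (val << 1) | (c & 1)
        return val
    length = int.from_bytes(_xor(take(16, 0).to_bytes(2, "big"),
                                 keystream(key, 2)), "big")
    ks = keystream(key, 2 + length)
    raw = take(8 * length, 16).to_bytes(length, "big")
    return _xor(raw, ks[2:])


# Constructed stand-in for a decoded image's DC coefficients.
SAMPLE_DC = [(i * 37) % 211 - 100 for i in range(512)]
```

Usage: `stego = embed(SAMPLE_DC, b"meet at dawn", b"k")` changes only the low bit of the first 112 coefficients, and `extract(stego, b"k")` returns the payload; with the wrong key the low bits decode to junk. Note that DC coefficients, unlike AC ones, have no "zero means skip" problem, so every block carries exactly one bit.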

Re: [funsec] Foiled terror plot aboard Northwest Flight 253 sparks strict security rules for air passengers

2009-12-27 Thread der Mouse
> There are those who say the same is true of the IT security industry:
> that we don't address the root problems because the problems keep us
> in business.  We know that isn't true.

Do we?

While I know it isn't true of me personally, I feel sure it is true of
some fraction of IT-sec people (though I also suspect that fraction is
quite small) but is it true of the industry?  I don't know.
Organizations often exhibit epiphenomenal behaviour very different from
and not directly traceable to the behaviours of the individuals making
them up.

> [...] I don't think there is a single soldier on the planet who
> wouldn't give significant parts of their anatomy to bring Bin Laden
> to justice.

Even if restricted to "the West", I doubt that's so; there are enough
soldiers that I feel reasonably sure there are at least a few who
really don't much care either way - and substantially more, enough to
speak of them as a fraction rather than a count of individuals, who
just want him dead and justice (FWVO "justice") take the hindmost.

Not that I'm happy about either. :-/  (I'm fairly lawfully aligned, and
that includes a strong belief in rule-of-law)

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] When are we going to start profiling? WAS RE: Don't spend too much time in the bathroom...PLEASE

2009-12-29 Thread der Mouse
> If that offends them, then maybe they (and realistically, it is only
> the Islamic world that can end the scourge of Islamic terrorism) will
> do something about the funding of radicalizing Madrassas and
> firebrand clerics that are at the root of the whole problem.

Speaking of ignoring the elephant in the room...!

I think blaming "firebrand clerics" *is* ignoring the elephant in the
room, that being that the USA has been a world-class a**hole to major
fractions of the world for a substantial time, and the only surprise to
me is that it's taken those chickens this long to come home to roost.

Even the best of firebrand clerics can't do much without a substantial
level of disaffection in the populace to work on, after all.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] When are we going to start profiling? WAS RE: Don't spend too much time in the bathroom...PLEASE

2009-12-30 Thread der Mouse
> Frankly, Airlines should be entitled to not accept passengers on the
> basis that they would cause anxiety in other passengers, since they
> are private entities trying to make a profit.

I think they are also common carriers, aren't they?  That gives them
privileges, but it also gives them obligations.  (There are also a very
few grounds on which even private entities are not at liberty to
discriminate, and this is treading awfully close to a few of them.)

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] When are we going to start profiling? WAS RE: Don't spend too much time in the bathroom...PLEASE

2009-12-30 Thread der Mouse
>> How will you detect muslims?

> Everyone should be required to arrive at the airport 3 hours before
> their flight.  As they wait, they will be treated to a nice
> breakfast.

> Search the ones who don't eat the bacon.

False positives on Jews, vegetarians, and those trying to be nice to
their hearts.

Oh, and those trying to game the system by flooding it with FP.

:)

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] threats abound for 2010 what shall we do, oh my!

2009-12-31 Thread der Mouse
> [W]e will probably hear somebody seriously suggest that people ought
> to fly naked after the next attack.

Now _that_ might even get me back on planes.  (I have little-to-no body
modesty on my own account; it's something I observe to avoid disturbing
others.  And I like shaking up established habits - where, as in this
case, I see the disruption as basically harmless.)

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] Belarus to (heavily) toughen control over Internet

2010-01-04 Thread der Mouse
> He told journalists that a new Internet bill [in Belarus], proposed
> Tuesday, would require the registration and identification of all
> online publications and of each Web user,

So all that's necessary is to use something other than the Web?

I also wonder how they're going to enforce registration requirements
against "publications" totally external to Belarus - eg, my blah.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] She may not be your first...

2010-01-10 Thread der Mouse
> [You] may not be [her] first... http://gevron.livejournal.com/37645.html

I agree with you that it's well-done.  (I'm not sure I'd go as far as
"brilliant", but at worst it's a small exaggeration.)

But I also agree with your detractors that it is perpetuative of sexism
and offensive in at least a few ways.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] She may not be your first...

2010-01-11 Thread der Mouse
>> But I also agree with your detractors that it is perpetuative of
>> sexism and offensive in at least a few ways.
> If ads went non-offensive to everybody, [...]

True enough.  It's actually not _that_ it's offensive but _how_ it's
offensive - or perhaps to how many it's offensive, or some such.

So, merely remarking that it's offensive to me is actually pretty
pointless.  I need to go into a little more detail.

The grounds on which I find it offensive:

- It's perpetuative of sexism (as I mentioned), in that it's predicated
   on the assumption that women are what car buyers find sexy, and,
   worse, that surface gloss is what makes a woman sexy.

- It's perpetuative of various other twisted notions Western (FWVO
   "Western") society have about sex, such as the idea that sexual
   inexperience is desirable (it's even so important that it has a
   special word dedicated to it, at least in English).

- It is selling something (to the extent that it does sell it, that is)
   based on an emotional response rather than on the merits of the
   "something".  Yes, Paul, advertising often depends on emotional
   responses, but, done right, they are the hook, the attention-getter,
   not the pitch; for them to be the entire ad is basically telling
   me-the-target that the merits of the thing don't matter, that I can
   be led around by my emotional responses.  Even - perhaps
   _especially_ - to the extent that that's true, it's insulting.

   Unless you think that it actually is a fair analogy to draw
   parallels between used cars and experience in a sex partner?

- I like looking at women's bodies too, as it happens.  But what they
   make me want to do is not go out and buy a car[%].  As such, this
   feels like bait-and-switch, bordering on fraud, to me: apparently
   offering sex but actually offering something drastically different.
   (Maybe I'm an outlier in that I don't get off on cars.  I doubt it.)

[%] Though given used-car dealers' stereotypical reputation, there may
not be all that much difference, in that both constitute getting
screwed.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] She may not be your first...

2010-01-11 Thread der Mouse
> If a company's advertising offends you, don't buy their products.

I don't, but that has no effect since the reason I don't is that I'm
not in that market at all.

> In the meantime, please do not ram your view (not just you, but
> anybody) of right and wrong down my throat.  cuz I'm liable to bite
> it off.

I hardly think discussing it on a mailing list, even upon including
mildly detailed bases for my opinions, counts as ramming anything down
anyone's throat.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] Facebook Image Privacy

2010-01-18 Thread der Mouse
> Your question: What's the difference between secret and obscure?

Well, I'm not the person this was addressed to.  But to me, at least,
security-through-obscurity is a fair term only when it's applied to
things which are inherently difficult to change.

For example, suppose I design a super-whizzo crypto algorithm which I
(probably incorrectly :) believe is strong, but only if you don't know
how it works.  Because I presumably can't just come up with another
algorithm at the drop of a hat if this one leaks, that's StO.  But if I
use a good algorithm (Rijndael, let's say) with a key, and the key
leaks, it is not inherently difficult to switch keys.  It won't hurt my
security for you to know everything but the easy-to-change piece, so
it's not StO.  (It may be difficult in certain cases to do a key
change, but that's because of factors peculiar to the context; it is
not _inherently_ difficult.)

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] fog of cyberwar

2010-01-21 Thread der Mouse
> Thoughts?

Oh yes. :)

> 1. Did Google hack a Taiwanese server to investigate the breach?  If
> so, good for them.

Strongly disagree (even aside from the misuse of "hack").  Abuse such
as using others' computers without their consent is never acceptable.
Especially for those who attempt to claim some kind of "good guys"
moral high ground.

> 2. [Microsoft's] over-all policy is very disturbing and in my opinion
> calls for IE to not be used anymore.

IE should not be used anymore?  What took you so long?

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] Here We Go Again: Internet 'Drivers Licenses'

2010-02-01 Thread der Mouse
> Wow, and the 2004 Indian Ocean tsunami killed (re: Wikipedia) almost
> 230,000 people.  How many millions would die in a cyberwar?

Depends on what gets hit.  Take over the SCADA for New York City's
utilities, especially at this time of year, and you could kill a
substantial fraction of the city.  Over 230K would not surprise me.

Of course, the hard part would be keeping it doing what you want; I
don't know to what extent it would be possible to switch back to manual
control for the most essential services, and whether it could be done
fast enough.

And, of course, on whether you could reach them at all.  I don't know
how intelligently they are secured, but I'm pessimistic.  All it takes
is one slip-up, and governments have a poor track record at listening
to the people who actually know how to do that kind of thing right.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] 95% of User Generated Content is spam or malicious

2010-02-10 Thread der Mouse
>> Yes, I'm currently seeing about 98% spam.  At what percentage does
>> email become useless?
> Food for thought, or fuel for the flames

Or perhaps both. :)

> One should ask the US Post Office.  ["snail spam"]
> Next talk to Ma-bell.  Without the no-call list, how many junk phone
> calls do you get vs want?  [...]
> Granted I get more per day in email, but the rates of ham/spam is
> "about the same".

Interesting.

While in my case it's not the _US_ post office, I've been doing
something akin to the same exercise as a back-of-the-envelope estimate,
and I see very different numbers.

Snail spam is mostly under control for me; I'd say no more than half
the paper in my mailbox is junk.  (That's including junk such as ads
from the telco I get my home phone service from, which, while it's
unwanted advertising, is not really snail-spam because of the EBR; it
scales just fine.)

Phone spam is vaguely comparable, though details depend on whether you
roll my cell in with my land line - calls to the cell are, as far as I
can recall, 100% ham.  (I've gotten a few SMS spams, but after
demonstrating in 2003 to my provider that I really was willing to
cancel over them - some six-plus years - I've gotten only three.)

> On television, you get ads every few minutes, not counting blatant
> product placement.

And that's a major part - probably more than half - of why I don't have
a television and watch very little television even at my gf's, where I
could.

I don't know how much of the email aimed at me is spam; most of it is
stopped before my end receives enough of it to tell, some of the worst
so early I don't even have connection attempt counts (my border router
blocks cruise at about 800 IPs these days).  Roughly half the rest is
turned away; almost all of that is spam, and almost all the stuff that
gets through to my mailbox is ham.

So, I don't have definite numbers.  But I'd say email is significantly
worse than other media for me.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] 95% of User Generated Content is spam or malicious

2010-02-18 Thread der Mouse
> We are well past the time when default-permit policies are workable.

That's odd.  I wonder in what way my email setup is unworkable.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] 95% of User Generated Content is spam or malicious

2010-02-22 Thread der Mouse
> It's simply not efficient or cost-effective any more (at least for
> the operations I'm involved with) to grant mail privileges to
> everyone on the planet by default.  Nor is it desirable to do so and
> then attempt to winnow wheat from chaff, as this is more difficult
> and more expensive and more error-prone all the time.

Actually, I believe it is extremely desirable; it's just even more
extremely expensive.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] 95% of User Generated Content is spam or malicious

2010-02-22 Thread der Mouse
>> Perhaps some lucky folks can still get away with it: if so, great.
> If you think those who have to, by virtue of commercial need or
> policy, run "wide open and only deny known bad" networks are "lucky",
> you have an odd definition of luck.

I think rsk wasn't so much talking about those for whom it's "yeah, the
costs are high, but the costs of not doing so are for us even higher"
as much as those for whom it's more "that's odd, the costs are so low
for me it's still practical".

And, by that reading, I agree with him.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] Email Portability Approved by Knesset Committee

2010-02-22 Thread der Mouse
> According to this proposed bill, when a client transfers to a
> different ISP the email address will optionally be his to take along,
> "just like" mobile providers do today with phone numbers.

Ooo.  I smell a huge unfunded mandate.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] Taking out a botnet: legally ...

2010-02-25 Thread der Mouse
> http://news.bbc.co.uk/2/hi/technology/8537741.stm

> This one could start a very interesting trend ...

I can hardly wait for the joejobs to start.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] Loyalty cards track epidemic

2010-03-15 Thread der Mouse
> http://www.cbc.ca/health/story/2010/03/12/consumer-salmonella.html

> Not sure that privacy concerns are an issue.

Well, it quotes an epidemiologist as saying that "[t]he records are
treated with the same level of confidentiality as would medical
records", which I find scary.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


[funsec] Typosquatter vulnerable to SQL injection!

2010-03-21 Thread der Mouse
I tried to look at a webpage, typoed the domain name, and got

   select chrOrgType from tblOrgName where chrOrgName='The Rodents' Nest'
   limit 1You have an error in your SQL syntax; check the manual that
   corresponds to your MySQL server version for the right syntax to use
   near 'Nest' limit 1' at line 1

Guess who's vulnerable to an SQL injection attack!  (I must admit a
temptation to take a leaf from xkcd #327 and change my org name to
"xyz'; DROP TABLE tblOrgName; --" and hit the page again, but between
the effort involved and the fundamental ethical issues with vandalizing
even a typosquatter's system, didn't.)

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

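The error message above tells you how the site builds its query, and the apostrophe in "The Rodents' Nest" is what broke it. Here is that failure mode reproduced as an added example, not part of the original post and not run against anyone's site: a throwaway in-memory SQLite database (the real backend was MySQL) with the table and column names from the error message and constructed rows, a lookup that concatenates the name the way the error implies, and the same lookup with a bound parameter.

```python
# Added example, not code from the post: the injectable query beside the
# parameterised one, against a local in-memory SQLite database.
import sqlite3


def _db():
    """Constructed stand-in for the typosquatter's table."""
    con = sqlite3.connect(":memory:")
    con.execute("create table tblOrgName (chrOrgName text, chrOrgType text)")
    con.executemany("insert into tblOrgName values (?, ?)",
                    [("Example Corp", "commercial"),
                     ("The Rodents' Nest", "hobby")])
    return con


def lookup_unsafe(name):
    """String concatenation: an apostrophe in `name` becomes SQL syntax.

    Returns ('row', type), ('none', None) or ('error', message) so the
    three outcomes are easy to compare.
    """
    con = _db()
    sql = ("select chrOrgType from tblOrgName where chrOrgName='%s' limit 1"
           % name)
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.OperationalError as e:   # the syntax error from the post
        return ("error", str(e))
    return ("row", row[0]) if row else ("none", None)


def lookup_safe(name):
    """Bound parameter: the driver sends `name` as data, never as syntax."""
    con = _db()
    row = con.execute(
        "select chrOrgType from tblOrgName where chrOrgName=? limit 1",
        (name,)).fetchone()
    return ("row", row[0]) if row else ("none", None)
```

`lookup_unsafe("The Rodents' Nest")` fails with a syntax error near "Nest", just like the page did, while `lookup_safe` finds the row. The boolean trick `' or '1'='1` makes the unsafe query return the first row in the table and the safe one return nothing. The stacked `'; DROP TABLE ...; --` payload from the xkcd joke is a separate question: `sqlite3`'s `execute()` refuses to run more than one statement, and whether a MySQL driver does depends on how the site calls it, so a syntax error alone proves injection, not which payloads work.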

Re: [funsec] Jedi Packet Tricks

2010-03-27 Thread der Mouse
> Just seeing the words "remote factory diagnostic mechanism" makes me
> cringe...

Yeah, and this is exactly why.

But, also,

   Because networking cards have direct access to the computer's memory,

that's an indication you're using a busted architecture - and this is
why.  Sane machines have an MMU between the bus and main memory.  The
VAX did this back in the '70s and '80s; the SPARC did it in at least
some of its incarnations.  Apparently computer designers are another
group that doesn't learn from history (not that that's a *surprise*,
exactly, but it's certainly disappointing).

More reasons - as if we needed them - to avoid running peecees.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

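The practical question raised by the post above is whether a given machine actually has the translation unit between the bus and memory switched on; on Linux this is the IOMMU (Intel VT-d, AMD-Vi). The following check is an added example, not from the post: it recognises the boot messages the intel-iommu and amd_iommu drivers print when they find and enable an IOMMU, plus the relevant kernel parameters. The log lines in SAMPLE_* are constructed for the demo; the functions accept any iterable of lines.

```python
# Added example, not code from the post: does this Linux host have an
# IOMMU between DMA-capable devices and main memory?
import os
import re

# Lines the Intel and AMD IOMMU drivers log once a unit is found and enabled
# (older Intel kernels print "Intel-IOMMU: enabled").  An "ACPI: DMAR" table
# line alone only says the firmware described an IOMMU, not that it is on.
IOMMU_ON = re.compile(r"(DMAR: IOMMU enabled|Intel-IOMMU: enabled|"
                      r"AMD-Vi: Found IOMMU at)")
CMDLINE_ON = re.compile(r"\b(intel_iommu=on|amd_iommu=on)\b")
# iommu=pt maps kernel-owned devices 1:1, so their DMA is not translated:
# a common but weaker setting worth flagging.
CMDLINE_PT = re.compile(r"\biommu=pt\b")


def assess(dmesg_lines, cmdline):
    """Summarise what the kernel log and boot parameters say."""
    hits = [line for line in dmesg_lines if IOMMU_ON.search(line)]
    return {
        "iommu_enabled": bool(hits),
        "evidence": hits,
        "explicitly_on": bool(CMDLINE_ON.search(cmdline)),
        "passthrough": bool(CMDLINE_PT.search(cmdline)),
    }


def live_iommu_groups():
    """Independent live signal: a populated /sys/kernel/iommu_groups means
    the kernel is actually grouping devices behind an IOMMU.  Returns the
    group count, or 0 when the directory is absent or empty."""
    path = "/sys/kernel/iommu_groups"
    return len(os.listdir(path)) if os.path.isdir(path) else 0


# Constructed sample logs for the demo.
SAMPLE_INTEL = [
    "[    0.011234] ACPI: DMAR 0x000000007A6F1000 000088 (v01 INTEL  EDK2)",
    "[    0.011560] DMAR: IOMMU enabled",
    "[    0.402118] DMAR: Intel(R) Virtualization Technology for Directed I/O",
]
SAMPLE_OFF = [
    "[    0.011234] ACPI: DMAR 0x000000007A6F1000 000088 (v01 INTEL  EDK2)",
    "[    0.402118] pci 0000:00:1f.6: [8086:15bb] type 00 class 0x020000",
]
```

Usage: `assess(SAMPLE_INTEL, "BOOT_IMAGE=/vmlinuz intel_iommu=on")` reports the IOMMU enabled, while the same call with SAMPLE_OFF and a plain cmdline does not even though a DMAR table is present. On a real host pair it with `live_iommu_groups()`, which needs no log access. Note that an enabled IOMMU limits what a rogue NIC can reach; it does not stop the firmware-level diagnostic mechanism the thread is about from being present.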

Re: [funsec] Only 140 characters, eh?

2010-04-20 Thread der Mouse
> http://www.readwriteweb.com/archives/this_is_what_a_tweet_looks_like.php

> All the info (metadata) that comes with a tweet.

If, that is, you can figure out what it is that scribd.com wants before
it's willing to show it.  It seems to want a login, but is a bit
confused - it says "Login Successful" on the same page as the text
asking me to sign up, sign in, reset my password, and, just in case
that wasn't confused enough, also claiming that "[my] download will
begin shortly..." (which it doesn't, and I think can't).  It also says

   We've highlighted your search query ''. Click here to turn off
   highlighting. You've turned off search term highlighting. Turn
   highlighting back on.

It's clearly pretty confused over _something_.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] Security research vuln pimps

2010-04-26 Thread der Mouse
> Have you ever heard of a terrorist referred to as a "demolition
> engineer?"  How about a thief as a "locksmith?"  [...]

> Why does this matter?  Well, it's a matter of principle: One is
> either part of the problem or part of the solution.  [...]

(I don't think it's that black-and-white, actually, but that's
distinctly a side note.)

> It's time to draw a line in the sand.

The time to draw that line was when crackers and malware authors and
the like started getting called "hackers".

I have trouble taking this very seriously now.  You didn't help us when
our name was being abused by the media for the bad guys; why should you
expect any more help now that the shoe is on the other foot?

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTMLmo...@rodents-montreal.org
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [funsec] Security research vuln pimps

2010-04-26 Thread der Mouse
>> If you tell the world about a flaw in operational software/hardware,
>> you increase the pool of threat agents that know about it, increase
>> the likelihood they will attack, and increase the chance they will
>> be successful.

True...as far as it goes.

Oddly enough, you also increase the pool of people competent to fix the
issue, increase the likelihood it will be fixed promptly, and increase
the likelihood that workarounds will be deployed in cases where they
can be.

Which outweighs the other?  That depends.  But pretending the good
effects don't exist makes about as much sense as other people
pretending the bad effects don't exist.  Neither one matches reality,
and taking actions based on beliefs that disagree with reality is not a
good way to get the results you want.


Re: [funsec] More on the Lower Merion school district webcam debacle

2010-05-09 Thread der Mouse
>> Unless that IT dept was bright enough to do low level formats.

> I would dearly love to do computer forensics against someone stupid
> enough to think that a low level format actually erased any
> significant data ...

In my experience, it does.

It is, however, often confused with merely rebuilding the filesystem,
which is _not_ a low level format and does _not_ destroy any
significant amount of data (in most implementations).

A real low level format involves laying down completely new timing
tracks and such, and will destroy all data unless you're willing to
open the drive in a cleanroom and look at residual magnetization
patterns and the like.  It's not always possible; for example, I don't
recall seeing any ATA command for it.  SCSI has the FORMAT UNIT
command, which, if done right, is a real reformat - I don't know
whether modern drives actually do a reformat or not.  (On the few
occasions when I've wanted a real reformat of a SCSI drive, FORMAT UNIT
has, as far as I can tell, done it.)


Re: [funsec] More on the Lower Merion school district webcam debacle

2010-05-09 Thread der Mouse
>> A real low level format involves laying down completely new timing
>> tracks and such, and will destroy all data unless you're willing to
>> open the drive in a cleanroom and look at residual magnetization
>> patterns and the like.
> There is approximately *zero* actual real-world evidence of the "read
> the residuals" actually working on any disk drive less than 15 years
> or so old.

I didn't mean to imply otherwise.  Perhaps I should have added a
parenthetical "(and quite probably not even then)".


Re: [funsec] But Facebook are not spammers [was: And Facebook sells user data, too ...]

2010-05-21 Thread der Mouse
> Facebook does not spam.

Then they're picking on me, because the only way in which the mail
they've aimed at me can be non-bulk is if they're doing it to only me
(or some tiny subset including me - which subset would have to include
people as unrelated as Paul Vixie, based on his mail here a few weeks
ago).  There's sure no question of it being email or unsolicited,
leaving only the "bulk" leg of the UBE tripod in question.  (Yes, the
mail is substantively identical; the one I got to my netbsd.org
address, the one Paul Vixie reported, and the one I got to a mailing
list(!), all look identical except for mailmerge-style customizations.)

It also has opt-out links, which, like all good spammers' remove-list
links, are Web-only - they even call it "unsubscrib[ing]", implying
that victims are on a list, not just getting one-offs.  Even if it's
somehow not spam, it's sure going out of its way to look like it.


Re: [funsec] But Facebook are not spammers [was: And Facebook sells user data, too ...]

2010-05-23 Thread der Mouse
> If a person opens their email client -- and you do in fact know them
> or would not otherwise object to get an email from them -- and they
> email you, then it is not spam.  It may be unsolicited, but it is not
> spam.  Agreed?

Not necessarily.  If said person mails me as part of a bulk mailing, it
may indeed be spam.  (It's relatively unlikely anyone I actually know
would do that, but that's not really relevant.)

>> There's sure no question of it being email or unsolicited, leaving
>> only the "bulk" leg of the UBE tripod in question.
> It is mail, and it is unsolicited, but it is not bulk.

I'm having trouble seeing how it's not.  Substantively identical
messages, sent in relatively large quantity, to people as unrelated as
me and Paul Vixie?  Indeed, in a number of cases, apparently sent to
entire scraped address books?  (For example, most of the ones I've seen
sent to mailing lists.)

Also notable (in that it vitiates your casting of them as just a
somewhat unusual webmailer) is that I can't think of a case in which I
had any clue who the nominally provoking person - the name Facebook
sticks in the From: - was.  Of the three examples I find in my incoming
mail that hasn't yet rolled off the end of my historical records, two
were sent to mailing lists I'm on and the third was sent to my NetBSD
address; in none of these cases do I recognize the name in the From:.


Re: [funsec] But Facebook are not spammers [was: And Facebook sells user data, too ...]

2010-05-23 Thread der Mouse
>>> It is mail, and it is unsolicited, but it is not bulk.
>> I'm having trouble seeing how it's not.  Substantively identical
>> messages, sent in relatively large quantity, to [unrelated people]?
>> Indeed, in a number of cases, apparently sent to entire scraped
>> address books?
> I already answered this very point in my previous email, namely I
> discussed how the messages differ from each other both in the action
> of sending being individual, and the messages similarity being
> analogous to any web mail service with a signature line option.

If any such webmailer put such an "invitation" in someone's signature
and then proceeded to send out mail with nothing but that "signature",
I'd call it spam too.

Anyway, I see no point in continuing the conversation; it's clear you
have (for whatever reason) some unwillingness to accept Facebook as
spammers.  Fine; I don't much care what you think of them - but it
doesn't affect my own opinion of them.

> Try it, see for yourself.

No.  Quite aside from an unwillingness to have anything to do with them
on spam grounds, I have at least two other reasons to stay away from
Facebook: (1) they (try to) inflict ads on their users (presumably
they've adopted the cable-tv business model of treating their nominal
users as product to be sold to their real customers, the advertisers),
and I will not tolerate that; and (2) as far as I can tell, the only
interface they have for their users is a Web one, and what they offer
is not nearly enough payment to make me subject myself to a Web-only
interface, especially since they can't be arsed to even _try_ to
support any text browsers.


Re: [funsec] But Facebook are not spammers

2010-05-23 Thread der Mouse
> and I have a feeling you would not view them as such spammers if they
> did not offer an "unsubscribe" option,

I don't know about Paul Vixie, but, if your feeling applies similarly
to me, it is wrong.

> Putting them in the same boat as these law breakers and abusers
> doesn't sit well with me,

And not doing so doesn't sit well with me.  So what?


Re: [funsec] But Facebook are not spammers

2010-05-24 Thread der Mouse
>> when they send me mail because one of their users clicks "add buddy"
>> that's borderline.  when they send me followup mail because i didn't
>> answer, then that is spam, 100%, and inarguably so.
> As someone who is in a position to architect a similar feature for a
> web site in the near future, how would you suggest this type of
> action be implemented?

I'm not Paul, but, my answer is, "not".

Not that I expect my opinion to make any difference.

> The system needs a way for people to invite their friends/colleagues
> to participate in the system and e-mail offers the least friction.

Why does it need such a way?  What's wrong with letting your users
invite their friends and colleagues personally and directly, via
whatever means they happen to have at hand for communicating with the
friends and colleagues in question?

That started out as a rhetorical question, but it actually is a good
question to ponder.  What _is_ wrong with it?  Why do you feel a need
to offer a send-an-invite option yourselves?


Re: [funsec] But Facebook are not spammers [was: And Facebook sells user data, too ...]

2010-05-24 Thread der Mouse
> I quite understand why you'd prefer to claim that [1] I do not
> understand the definition of spam (which none of us argued, and we
> based our discussion on) or that [2] I am not experienced enough to
> understand it.

Well, you are certainly exhibiting a rather.."unusual"..understanding
of it - of the "bulk" leg of the tripod in particular.  Whether this is
due to inexperience or stubbornness or what is actually pretty much
irrelevant (though maybe interesting from a sociological perspective).


Re: [funsec] But Facebook are not spammers [was: And Facebook sells user data, too ...]

2010-05-24 Thread der Mouse
>> [...Facebook...spam...]
> I find it fascinating that you refuse to even differentiate between
> spammers who illegally use resources such as botnets ([...]) and send
> completely forged emails with illegal scams in them, from emails sent
> by users through a web service that is equivalent to them, in their
> work environment, and sent each time specifically to one person whose
> email they type in.

Well, the question-begging involved in your implicitly equating
Facebook's mail with the latter aside, I don't refuse to differentiate
between them, *except* in the one respect that I still call spam spam
regardless of which one it comes from.

Content issues such as "forged" and "illegal scams" are pretty much
irrelevant when it comes to whether something is spam.  (Well, to me.)
Not quite totally irrelevant, since in some cases the content affects
(un)solicitedness and "substantively identical" is one line in the sand
for bulkness, but mostly.

> No matter how much you dislike what Facebook are doing, your refusal
> to differentiate between the two examples is something I can't
> comprehend.

Well, as I said, I don't refuse to differentiate between them in
general.  However, the discussion has focused on whether the mail sent
is spam, and in that one respect I don't see any difference.

> Further, neither you nor Rich specified complaints (which were backed up or
> followed up on) other than a generic dislike on how Facebook's emails
> work, other than the fact that they exist.

What?  There has to be something specific wrong with spam other than
its being spam?

> What I can't accept is your lack of arguments other than ad hominem,

What ad hominem?  Rsk came mildly close, but I don't think either Paul
or I (as the other two principal contributors to this side of the
thread) have gone anywhere near ad hominem.

> Web invitations when done by user request, and without "nagging" or
> skipping opt-in, are an acceptable industry norm.

Leaving aside the question-begging aspects of your implicitly equating
this to what Facebook does, and the blatant question-begging of your
tagging "acceptable" onto that: being industry norm does not make
something either acceptable or non-abusive.  Spam is industry norm;
estimates of the percentage of mail traffic that is spam - even the
stuff even you would call spam - are generally in the high 90s, and I
don't know of anyone who puts it below 3/4.  And for other abusive
norms in the industry, we can start with the catastrophic mismatch
between authority and responsibility which is killing the Internet.

> Gmail does it.  Yahoo does it.  CNN does it.

I find it interesting that two of the three organizations you cite as
justification for your position are ones I've had to block in toto
because of blatant, egregious, and repeated abuse issues.  Citing them
in support of your argument is pretty close to an own goal, in my
opinion.

As for the third, it might be instructive to look at the differences,
because I can't recall ever getting such an "invitation" from them,
whereas I get them from Facebook often enough to have been exasperated
with them long before this discussion started.  Might be the statistics
of whom I know, but maybe not, too - something like half the Facebook
spam I get I get through mailing lists.


Re: [funsec] But Facebook are not spammers [was: And Facebook sells user data, too ...]

2010-05-24 Thread der Mouse
> And the main issue you have a problem with is bulk, right?

Not really; that's just the point we disagree on.  Solicited bulk I
have no issues with.

> Please help me here with how an action taken by an individual user
> typing in emails is bulk?

I don't believe that's all that's going on here.  Unless Facebook
attracts people using MUAs with a "send to my entire address book and
everything you can find in my mailbox" button and too little sense to
realize when it's inappropriate to use it.

>>> Gmail does it.  Yahoo does it.  CNN does it.
>> I find it interesting that two of the three organizations you cite
>> as justification for your position are ones I've had to block in
>> toto because of blatant, egregious, and repeated abuse issues.
>> Citing them in support of your argument is pretty close to an own
>> goal, in my opinion.
> They are not a justification, they are an illustrative example, see
> above.

Still seems like an own goal.  They are very illustrative indeed - of
how abusive a mailer can be.

> And here is the point, was the abuse done by them, or by their users?

By them.  In the case of Yahoo, the final straw for me was once when I
reported a spam drop-box webpage they were hosting; they replied with
a "this mail wasn't sent through us" boilerplate, which of course was
true but irrelevant.  I wrote back pointing this out and got the same
response.  I cut everything - spam, previous correspondence, and all,
and wrote a little two-line mail asking something like "is there anyone
human alive there?" and got THE SAME BLOODY BOILERPLATE BACK.

> Removing of course the fact that Gmail hides IP addresses.

Why removing that?  That's the first strike against gmail: they make it
impossible to, for example, refuse all webmail from
INTELSAT-CUST-VIENNA-TECHNOLOGIES-NG (to name just one of the eight or
so netblocks that I do not want any webmail from, ever) without
refusing all gmail webmail.  For a long time that's all I did - but
then Google (through the Google Groups brand, but I see little point in
drawing a distinction between one of Google's faces and another)
started spamming me.  I've got the full story up at
ftp.rodents-montreal.org:/mouse/misc/google-block.txt.

> Hey, it's not Facebook's fault nobody likes you enough to invite you. :P

Heh.  There's a Facebook group "campaign to get der Mouse on Facebook"
or some such.

I get their stuff through mailing lists and occasionally to alternative
addresses such as my netbsd.org one.  I don't know why I don't get
their spam direct; maybe back when I was still bothering to complain
about spam I sent them a complaint and they added me to their
remove-list?  I don't find their "please sign up" line in any of my
saved "spam and spam complaints" mail, which makes that unlikely (I
generally save complained-about spam, and the complaints, there), but I
also can't account for it any other way - I looked for any reason to
think my private blocking mechanisms were responsible and found none.


Re: [funsec] symlink creation (and sudo)

2010-05-27 Thread der Mouse
> [...] we were surprised to find the following:

>   % ln -s /etc/sudoers bob
>   % sudoedit bob

> The shocking part isn't the 'sudoedit bob', but that my user is
> allowed to create the symlink in the first place.  sudoers is 0440,
> and I'm not in its group, so I'd have expected this to fail.

Why?  You can symlink to any string you please.

% ln -s 'any%old!string/I_happen-to~want' bob
% 

Whether the string names a file, and if so what file, is totally
irrelevant at symlink() time.  Indeed, I've seen multiple things that
use symlinks as, effectively, tiny files which can be read with one
syscall (readlink) rather than three (open, read, close) and without
needing a file descriptor.

> I could have sworn that I'd be unable to symlink to a file to which I
> have no read access, and my co-workers felt the same way.

Not only can you do that, you can *hard*link to a file you have no read
access to, on at least some systems (I just now tried it as an ordinary
user and I could hardlink to an rw--- root file just fine).

> Is this behaviour not tunable?  Is there some knob somewhere I can
> twiddle to not allow symlink creation to files to which the user has
> no read access?

Probably not.  Symlinks don't point to files; they point to paths.  It
is really very hard to do what you want here.  Consider:

% pwd
/home/mouse
% mkdir -p foo/bar
% cd foo/bar
% mkdir etc
% echo hello > etc/passwd
% mkdir -p home/mouse/king
% ln -s ../../../etc/passwd home/mouse/king/bob

So far, everything has been totally sane: all my own files and
directories, all perfectly reasonable.  But now:

% mv home/mouse/king ~

Suddenly the file the bob symlink - now accessible as king/bob from my
homedir - points to is the real /etc/passwd.

> But perhaps more importantly, I don't understand why I'd be allowed
> to do this in the first place.  Why should a generic user be allowed
> to create symlinks to protected system files?

Because symlinks aren't to files; they're to strings.  Permissions
checking is performed at the time of access, as for any other file
access; the symlink is just a redirection taking place during the path
walk, affecting what file is found but nothing more.  You could equally
well "ln -s /etc bob" and then poke at "bob/sudoers".  Or, quite
possibly, just use something like "../../etc/sudoers" in the first
place and forget about the symlink altogether.


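The three points made in the post above (a symlink to an arbitrary string, the relocation example, and permission checks deferred to access time), as an added runnable example that is not part of the original message. It uses a scratch directory from mktemp in place of the real /etc and home directory, so it is safe to run as any user.

```shell
#!/bin/sh
# Added example, not code from the original post.  Each function reproduces one
# point made above, inside a scratch directory from mktemp, so the real /etc and
# the real home directory are never touched.

# 1. symlink() stores a string and never inspects it.  Returns the stored text,
#    read back with a single readlink() call: no open/read/close, no file needed.
dangling_link_target() {
    work=$(mktemp -d)
    ln -s 'any%old!string/I_happen-to~want' "$work/bob"   # no such path exists; still succeeds
    readlink "$work/bob"
    rm -rf "$work"
}

# 2. The relocation example from the post, with $root standing in for "/".
#    Prints three lines: what the link resolves to before the mv, the link text
#    after the mv (unchanged), and what the same link resolves to after the mv.
relocation_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/home/mouse/foo/bar/etc" \
             "$root/home/mouse/foo/bar/home/mouse/king"
    echo 'REAL-PASSWD' > "$root/etc/passwd"                     # the system file
    echo 'hello'       > "$root/home/mouse/foo/bar/etc/passwd"  # the user's own copy
    # Created from /home/mouse/foo/bar exactly as in the post: three levels up
    # from the link's directory is foo/bar, so this names the user's own copy.
    ( cd "$root/home/mouse/foo/bar" && ln -s ../../../etc/passwd home/mouse/king/bob )
    cat "$root/home/mouse/foo/bar/home/mouse/king/bob"
    # "mv home/mouse/king ~": the link text does not change, but the directory
    # it is evaluated from is now /home/mouse/king, so "../../../" reaches "/".
    mv "$root/home/mouse/foo/bar/home/mouse/king" "$root/home/mouse/"
    readlink "$root/home/mouse/king/bob"
    cat "$root/home/mouse/king/bob"
    rm -rf "$root"
}

# 3. Permission checks happen at access time, not at link-creation time.
#    Linking to a mode-0000 file always succeeds; reading through the link
#    succeeds only for a caller who could read the target directly (e.g. root).
#    Prints "readable" or "denied".
access_time_check_demo() {
    work=$(mktemp -d)
    echo 'secret' > "$work/protected"
    chmod 000 "$work/protected"
    ln -s "$work/protected" "$work/peek" || { rm -rf "$work"; return 1; }
    if cat "$work/peek" >/dev/null 2>&1; then echo readable; else echo denied; fi
    rm -rf "$work"
}

# Run all three so the script shows its output when executed directly.
dangling_link_target
relocation_demo
access_time_check_demo
```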

Re: [funsec] so paypal has an ignorebot now?

2010-05-30 Thread der Mouse
>> i will not stop my e-mail work flow to use a web browser and
>> cut/paste.  [...].  the imposition you'd be asking is way more than
>> the good will i've got on hand.
> I'm generally on board with this sentiment.

Me too.  But paypal is hardly alone in this; I just got another - and,
like Paul's, it can't seem to make up its mind whether it's an
ignorebot or not:

[many other headers snipped]
> From: ab...@eastlink.ca
> Subject: Thank You
> To: mo...@sparkle.rodents-montreal.org
> Message-id: <0l39001x8lra6...@mta02.eastlink.ca>
> 
> 
> --Boundary_(ID_MslZnpszavRKZWnl7x4ckA)
> Content-type: text/plain; CHARSET=US-ASCII
> Content-language: en-US
> Content-transfer-encoding: 7BIT
> 
> This disposition report relates to a message you sent with the following 
> header
> fields:
> 
[quote of Message-id:, Date:, From:, To:, Subject: from my spam report]
> 
> The message has been received by ab...@eastlink.ca, however,
> it has not been displayed. The reason given for not displaying the message
> was the following:
> 
> 
> Thank you for contacting EastLink.
> 
> This is an automatic response.
> 
> Please select the following link to submit all abuse reports.
> http://abuse.eastlink.ca/
> 
> We still accept abuse mail that is addressed to ab...@eastlink.ca, but we
>  have found that we were not getting all of the information that is required
>  to investigate and resolve abuse reports.

First it says they aren't reading it, then it says they do accept it.
(I suppose these technically aren't in conflict - they accept it but
don't "display" it - but in context I think they are.)

I sent them a note pointing out the conflict.  We'll see if I get a
non-canned response; in at least one past case, doing so did draw a
non-canned reply agreeing that the wording could use some touchup, so
there is hope (though perhaps not much hope in paypal's case :-þ).


Re: [funsec] But Facebook are not spammers - here's a screenshot

2010-06-03 Thread der Mouse
> Attached is a screenshot of what a Facebook invite screen looks like.
> Tell me how this is spam, please?

It's not.  That's not email, so it can't be spam.  (Or, at least, if it
is email, your MUA needs a serious security clout upside the head,
letting email forge all that.  And there are looser definitions of
"spam" which apply to non-email, for example in the MUD world, but I
doubt that's what you're talking about here.)

If you're talking about the email generated by it?

Well, it depends on whom you send it to, since that affects
solicitedness.  All the stuff I've gotten has been spam: it's email,
it's unsolicited, and it's bulk.  I fully expect you to deny it's bulk,
since you've amply demonstrated an utter conviction that it's not spam,
and that's pretty much the only even vaguely attackable point.

> Be specific, so that we can discuss specifics.

Why bother?  You'll just deny it, and we'll have another round on the
"is!" "isn't!" merry-go-round.  I don't see the point.


Re: [funsec] But Facebook are not spammers - here's a screenshot

2010-06-04 Thread der Mouse
> By "unsolicited" we don't really mean "any mail that is not in
> response to an explicit request for a reply"; we really mean
> something more like "any mail that is not part of an ongoing
> conversation", or something like that.

Not even; there are some cases in which solicitedness can be implicit.
For example, mail to postmaster@ about some externally visible
mail-system problem directly related to the domain or host to which the
postmaster mail was directed counts as solicited to me.  Similar
remarks, mutatis mutandis, apply to other standard role local-parts,
such as abuse@ and webmas...@.


Re: [funsec] Privacy Police Go Paranoid Against Google

2010-06-13 Thread der Mouse
> Why do people get so irrational about privacy issues?

I'm not convinced it's irrational.

Personally, at least, it's all about keeping the thin end of the wedge
out.  See xkcd #743 (and don't skip the years at the top; I did for a
while and it made no sense until I noticed them).


Re: [funsec] Australian Govt. releases results of Inquiry into cyber crime

2010-06-22 Thread der Mouse
>> "AUSTRALIANS would be forced to install anti-virus and firewall
>> software on their computers before being allowed to connect to the
>> internet under a new plan to fight cyber crime.

I can just imagine the exodus of Linux/BSD/etc users from .au


Re: [funsec] 95% of User Generated Content is spam or malicious

2010-06-28 Thread der Mouse
>> This means that [antispam vendors are] essentially in a symbiotic
>> relationship with spammers, whether or not either acknowledges it.
> One hardly ever sees this analysis.

I'm not entirely convinced it's as true as it sounds.  Not all
companies exist to survive and profit; a few, especially privately-held
ones, express the desires of their owner(s) instead, and it would
surprise me if there weren't a few who would be delighted to be put out
of business by no longer having anything to combat - Spamhaus is the
first one who comes to mind as a plausible example.

Probably only a comparative few, though. :(
